It seems like a week doesn’t go by that I don’t read about sensitive patient information being stolen, leaked or otherwise disclosed by a healthcare provider. A recent event occurred in Fort Bend County, Texas, where staff employed at various healthcare facilities used information obtained from patient records to steal their identities and obtain fraudulent payday loans. In all, the group managed to steal more than $230,000.

Criminals are focusing more and more on healthcare providers because they typically maintain a treasure trove of sensitive information that can be useful for committing identity theft. This includes Social Security numbers, credit card information, driver’s license numbers, patient addresses: basically all the information a criminal would need to steal someone’s identity. And based on my experience, many healthcare providers do not take adequate measures to ensure this information is secured. This is especially true of small providers, who often fail to understand the risks associated with collecting, storing and transmitting this type of information.

Below is a list of Do’s and Don’ts that all healthcare providers should follow to protect their sensitive patient data. This is by no means an exhaustive list, but should get you started down the right path.

Don’t collect any sensitive data that you do not absolutely need. If you don’t need your patients’ SSN, don’t ask for it. Use other unique patient identifiers.

Don’t transmit any sensitive patient information without using encryption. This includes diagnosis and treatment information as well as information that could be used by identity thieves.

Don’t share one computer account for all staff to use simply because it is too much of a hassle to create individual user IDs for each staff member.

Do use appropriate access controls to ensure that staff only have access to the data they need in order to perform their job.

Do make sure all your computers have up-to-date anti-virus and anti-spyware software installed.

Do ensure that your patient data is backed up regularly and that the backups are stored off-site for disaster recovery purposes.

Do perform background checks prior to hiring staff and conduct regular security awareness training to ensure that staff are aware of security and privacy policies.

Don’t assume that HIPAA doesn’t apply to you, because it probably does.
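As an added illustration (not code from the original post), here is how a small practice’s record system could put three of the items above into practice in Python: the record is keyed by an internally generated patient ID and holds no SSN at all (don’t collect what you don’t need), each staff role is limited to the fields its job requires (appropriate access controls), and every read, whether permitted or refused, is logged under an individual user ID, which a shared login could never provide. All names, roles, identifiers and record values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record. There is deliberately no SSN field: the practice
# identifies the patient by a hypothetical internal ID instead.
PATIENT_RECORD = {
    "patient_id": "p-7f3a",                      # constructed internal identifier
    "name": "Pat Example",
    "phone": "555-0100",
    "address": "1 Sample St",
    "insurance_member_id": "INS-000123",         # constructed value
    "diagnosis": "constructed example value",
    "treatment_notes": "constructed example value",
}

# Least privilege: each role sees only the fields it needs to do its job.
# Anything not listed for a role is refused.
ROLE_FIELDS = {
    "front_desk": {"patient_id", "name", "phone"},
    "billing":    {"patient_id", "name", "address", "insurance_member_id"},
    "clinician":  {"patient_id", "name", "diagnosis", "treatment_notes"},
}


@dataclass
class Staff:
    user_id: str   # one account per person, never a shared login
    role: str


@dataclass
class AuditEntry:
    when: str
    user_id: str
    role: str
    patient_id: str
    fields: tuple
    allowed: bool


AUDIT_LOG: list = []   # in a real system this would be append-only storage


class AccessDenied(Exception):
    pass


def can_read(staff: Staff, requested) -> bool:
    """True if every requested field is permitted for the staff member's role."""
    return set(requested) <= ROLE_FIELDS.get(staff.role, set())


def read_patient(staff: Staff, record: dict, requested) -> dict:
    """Return only the requested fields the role allows.

    Every attempt is written to the audit log under the individual's user ID,
    so a refused read is attributable to a person, not to "the front desk PC".
    """
    requested = set(requested)
    ok = can_read(staff, requested)
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(),
        user_id=staff.user_id,
        role=staff.role,
        patient_id=record["patient_id"],
        fields=tuple(sorted(requested)),
        allowed=ok,
    ))
    if not ok:
        disallowed = sorted(requested - ROLE_FIELDS.get(staff.role, set()))
        raise AccessDenied(f"{staff.user_id} ({staff.role}) may not read {disallowed}")
    return {k: record[k] for k in requested if k in record}


def denied_attempts_by_user(log=None) -> dict:
    """Count refused reads per user ID: a simple report for spotting someone
    repeatedly reaching for data outside their role."""
    log = AUDIT_LOG if log is None else log
    counts = {}
    for entry in log:
        if not entry.allowed:
            counts[entry.user_id] = counts.get(entry.user_id, 0) + 1
    return counts


if __name__ == "__main__":
    billing = Staff("jdoe", "billing")
    print(read_patient(billing, PATIENT_RECORD, {"patient_id", "address"}))
    try:
        read_patient(billing, PATIENT_RECORD, {"diagnosis"})
    except AccessDenied as exc:
        print("refused:", exc)
    print("refused reads per user:", denied_attempts_by_user())
```

The point of the per-user audit entry is that the Fort Bend case involved insiders: with one shared account there is no way to tell which employee pulled a record, while with individual accounts and a field-level policy the refused reads in the log name the person and the fields they tried to see.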